dlorente (Staff)
Article Id 345018
Description This article describes how FortiGate handles SD-WAN traffic based on the 'set default' and 'set gateway' parameters on the SD-WAN rule, explaining different routing scenarios and how FortiGate selects the appropriate SD-WAN member depending on the configured criteria. It also outlines the behavior when these parameters are enabled or disabled and the impact on traffic steering.
Scope FortiGate v7.0, v7.2, v7.4 and v7.6
Solution

By default, an SD-WAN rule has the following settings.

config system sdwan
    config service
        edit 1
            set gateway disable
            set default disable
        next
    end
end


With this configuration, SD-WAN steers the traffic by applying the following criteria:

 

SD-WAN rules are evaluated only when an SD-WAN member holds the best route to the destination ('set default disable'):

  1. FortiGate checks if the session is eligible for SD-WAN by performing a standard routing table (FIB) lookup to find the best-match interface. If multiple best routes exist, FortiOS will select a random interface having the best route as the best-match.
  2. The traffic is eligible for SD-WAN rule lookup if and only if the best-match interface is an SD-WAN member. If it is an SD-WAN member, FortiGate checks the configured SD-WAN rules.
  3. Once an SD-WAN rule is matched and evaluated, the system selects an SD-WAN member to forward the traffic based on the interface selection strategy configured in the rule. This may or may not be the same as the best-match interface.

 

Note: The default eligibility check for SD-WAN assumes that Equal Cost Multipath is not in use between interfaces configured for SD-WAN and those not configured for SD-WAN. It is recommended to ensure that all best routes for destinations that are intended to be forwarded by SD-WAN reference an SD-WAN member; see the article 'Technical Tip: Multiple default routes where SD-WAN rules are not preferred'.

 

An SD-WAN member is selected only if it has a valid route to the destination ('set gateway disable'):

  1. Once an SD-WAN member is selected to forward the traffic, FortiGate will send the traffic if the member has a feasible (valid) route to the destination. The route need not be the longest match.
  2. If no valid route exists for the member, the system will skip to the next available SD-WAN member/rule.
  3. If no matching member exists on any matching SD-WAN rule, FortiGate will route the traffic according to the FIB lookup.

 

Scenario 1:

(Figure: Drawing1.jpg)

  • Client pings 8.8.8.8.
  • SD-WAN member: port4.
  • Not SD-WAN members: port1 and port3.
  • Configuration:

config system sdwan
    config members
        edit 1
            set interface "port4"
            set gateway 192.168.1.3
        next
    end
end

config router static
    edit <index>
        set gateway 192.168.1.2
        set device "port4"  <--- In most cases, it is convenient to configure the matching sdwan-zone instead of an individual egress device. Device configuration is used here to demonstrate the effect of 'set gateway enable'.
    next
end


FGT-1 # diagnose sys sdwan member
Member(1): transport-group: 0, interface: port4, flags=0x0 , gateway: 192.168.1.3, source 192.168.1.1, priority: 1 1024, weight: 0

 

FGT-1 # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(1):
1: Seq_num(3 port1), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
Dst address(1):
0.0.0.0-255.255.255.255

FGT-1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*       0.0.0.0/0 [1/0] via 192.168.1.2, port4, [1/0]
S        8.8.8.8/32 [10/0] via 10.191.31.254, port1, [1/0]
C        10.10.10.0/24 is directly connected, port3
C        10.191.16.0/20 is directly connected, port1
S        100.100.1.0/24 [1/0] via 192.168.1.2, port4, [1/0]
C        192.168.1.0/24 is directly connected, port4


Possible cases:

  • When both Default and Gateway are disabled on all relevant SD-WAN rules, FortiGate will first perform a route lookup to verify the best route to the destination is through an SD-WAN member. In this case, the static route '8.8.8.8/32 [10/0] via 10.191.31.254, port1' is the best route. Since port1 is not an SD-WAN member, this traffic is not eligible for SD-WAN. As a result, FortiGate will not match any SD-WAN rules and will instead route the traffic over port1. The traffic will be forwarded through port1 if allowed by firewall policy, or be dropped if not allowed.

  • When Default is enabled and Gateway is disabled, FortiGate no longer evaluates whether the best route to the destination is via an SD-WAN member. Instead, FortiGate checks the session information against SD-WAN rules which have 'set default enable'. If a match is found, FortiGate will check if any SD-WAN member on the rule can route the traffic. Since port4 is an SD-WAN member and has the valid static route '0.0.0.0/0 [1/0] via 192.168.1.2, port4', it is able to forward traffic to 8.8.8.8. Since both SD-WAN criteria are fulfilled, FortiGate forwards the traffic through port4 towards ISP2, subject to the firewall policy.

  • When both Default and Gateway are enabled, the behavior mirrors the scenario where only Default is enabled, except that the next hop from the routing table is overridden by the SD-WAN member's gateway if one is configured. As a result, in most deployments a valid route via the SD-WAN member is not required. In this example, since port4 is an SD-WAN member, FortiGate matches the SD-WAN rule. Because 'set gateway enable' is active, FortiGate skips the check for a valid route and only verifies that the member has a gateway to send traffic to. In this case, port4 forwards the traffic to ISP2 using 192.168.1.3 as the gateway rather than 192.168.1.2.

  • When Default is disabled but Gateway is enabled, FortiGate applies its primary rule: checking if the best route to the destination is through an SD-WAN member. Since the best route to the destination is through port1 (which is not part of the SD-WAN), FortiGate will not match the SD-WAN rule and will direct the traffic through port1 based on the FIB.

 

Scenario 2:

(Figure: Drawing2.jpg)

  • Client pings 8.8.8.8.
  • SD-WAN members: port2 and port4.
  • Not SD-WAN members: port1 and port3.
  • Configuration:

 

FGT-1 # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(1):
1: Seq_num(3 port1), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
Dst address(1):
0.0.0.0-255.255.255.255

FGT-1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*       0.0.0.0/0 [1/0] via 10.191.47.254, port2, [1/0]
S        8.8.8.8/32 [10/0] via 10.191.31.254, port1, [1/0]
C        10.10.10.0/24 is directly connected, port3
C        10.191.16.0/20 is directly connected, port1
C        10.191.32.0/20 is directly connected, port2
S        100.100.1.0/24 [1/0] via 192.168.1.2, port4, [1/0]
C        192.168.1.0/24 is directly connected, port4


Possible cases:

  • When both Default and Gateway are disabled, as explained earlier, FortiGate will first check if the best route to the destination is through an SD-WAN member. Since port1 is not part of the SD-WAN, the same logic applies: the SD-WAN rule will not be matched, and the traffic will be routed via port1 based on the FIB, ultimately exiting through ISP1.

 

  • When Default is enabled and Gateway is disabled, FortiGate checks whether any SD-WAN member has a route to the destination, even if it is not the best route. If so, FortiGate matches the SD-WAN rule and then checks whether the members of that rule have a valid route to the destination. In this instance, FortiGate finds a possible route to the destination through the SD-WAN member port2, so the rule is matched. However, since the only member in that rule is port4, and port4 does not have a valid route to the destination, the traffic is handled according to the implicit SD-WAN rule, meaning that FortiGate applies the configured load-balancing method between the members.

 

  • When both Default and Gateway are enabled, FortiGate will send the traffic without evaluating whether the best route to the destination is SD-WAN, as long as an SD-WAN member has a route to the destination to match the rule. Once this happens, the traffic will be directed to the member with the highest priority or best SLA. In this case, since port2 is an SD-WAN member, the traffic will match the rule, and because the only member in the rule is port4, the traffic will be directed to it regardless of whether it has a valid route to the destination. The traffic will then be routed to port4 towards FGT-2, relying on it to forward the traffic appropriately.

 

  • When Default is disabled but Gateway is enabled, FortiGate will check the best route to the destination and find that this route belongs to port1, which is not an SD-WAN member. As a result, FortiGate will not evaluate the SD-WAN rule, and the traffic will be handled by the FIB. Consequently, the traffic will be directed to ISP1 through port1.
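As an added illustration of the decision logic above (this is example code written for this article, not FortiOS code), the following Python model applies the 'set default' and 'set gateway' checks to the routing tables of Scenario 1 and Scenario 2 and reports the egress interface and next hop for each of the four combinations. The interface names, routes and the port4 member gateway are taken from the article; the port2 member gateway (10.191.47.254, its default-route next hop) and the behaviour of the implicit rule when the matched rule has no usable member (modelled as picking the first member that has a route) are assumptions. Rule criteria other than default/gateway are not modelled because the article's rule matches any destination.

```python
# Added example (not FortiOS code): a model of SD-WAN steering with
# 'set default' and 'set gateway', run against the article's two scenarios.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    distance: int
    device: str
    gateway: Optional[str] = None  # None = directly connected

@dataclass(frozen=True)
class Member:
    interface: str
    gateway: Optional[str] = None  # 'set gateway' under 'config members'

@dataclass(frozen=True)
class Rule:
    members: tuple                 # rule members in configured order
    default: bool = False          # 'set default enable/disable'
    gateway: bool = False          # 'set gateway enable/disable'

def matching_routes(fib, dst, device=None):
    """Routes covering dst (optionally only on one device), best first:
    longest prefix, then lowest administrative distance."""
    addr = ip_address(dst)
    hits = [r for r in fib if addr in ip_network(r.prefix)
            and (device is None or r.device == device)]
    return sorted(hits, key=lambda r: (-ip_network(r.prefix).prefixlen, r.distance))

def steer(fib, members, rules, dst):
    """Return (egress interface, next hop, reason) for a new session to dst."""
    by_name = {m.interface: m for m in members}
    best = matching_routes(fib, dst)
    # FortiOS picks one of several equal best routes at random; first one here.
    fib_choice = best[0] if best else None
    for rule in rules:
        if rule.default:
            # 'set default enable': the rule can match when any member has a route.
            if not any(matching_routes(fib, dst, m) for m in by_name):
                continue
        elif fib_choice is None or fib_choice.device not in by_name:
            # 'set default disable': eligible only if the best route is a member.
            continue
        for name in rule.members:
            member = by_name[name]
            if rule.gateway and member.gateway:
                # 'set gateway enable': the member gateway replaces the FIB next hop.
                return name, member.gateway, "rule match, member gateway"
            routes = matching_routes(fib, dst, name)
            if routes:
                return name, routes[0].gateway, "rule match, feasible route"
        # Matched rule has no usable member: Scenario 2 says the implicit SD-WAN
        # rule takes over. Assumption: it picks the first member with a route.
        for name in by_name:
            routes = matching_routes(fib, dst, name)
            if routes:
                return name, routes[0].gateway, "implicit rule"
    if fib_choice is None:
        return None, None, "no route"
    return fib_choice.device, fib_choice.gateway, "fib"

# Scenario 1 (from the article): port4 is the only SD-WAN member.
FIB_1 = [
    Route("0.0.0.0/0", 1, "port4", "192.168.1.2"),
    Route("8.8.8.8/32", 10, "port1", "10.191.31.254"),
    Route("10.10.10.0/24", 0, "port3"),
    Route("10.191.16.0/20", 0, "port1"),
    Route("100.100.1.0/24", 1, "port4", "192.168.1.2"),
    Route("192.168.1.0/24", 0, "port4"),
]
MEMBERS_1 = [Member("port4", "192.168.1.3")]

# Scenario 2: port2 and port4 are members. port4 keeps its Scenario 1 gateway;
# the port2 member gateway is an assumption taken from its default route.
FIB_2 = [
    Route("0.0.0.0/0", 1, "port2", "10.191.47.254"),
    Route("8.8.8.8/32", 10, "port1", "10.191.31.254"),
    Route("10.10.10.0/24", 0, "port3"),
    Route("10.191.16.0/20", 0, "port1"),
    Route("10.191.32.0/20", 0, "port2"),
    Route("100.100.1.0/24", 1, "port4", "192.168.1.2"),
    Route("192.168.1.0/24", 0, "port4"),
]
MEMBERS_2 = [Member("port2", "10.191.47.254"), Member("port4", "192.168.1.3")]

def all_cases(fib, members, rule_members=("port4",), dst="8.8.8.8"):
    """Evaluate the four default/gateway combinations for a single rule."""
    return {(d, g): steer(fib, members, [Rule(rule_members, d, g)], dst)
            for d in (False, True) for g in (False, True)}

if __name__ == "__main__":
    for label, fib, members in (("Scenario 1", FIB_1, MEMBERS_1),
                                ("Scenario 2", FIB_2, MEMBERS_2)):
        print(label)
        for (d, g), (iface, nh, why) in all_cases(fib, members).items():
            print(f"  default={'enable' if d else 'disable'}, "
                  f"gateway={'enable' if g else 'disable'} -> {iface} via {nh} ({why})")
```

Running the model reproduces the article's outcomes: in Scenario 1 the traffic leaves via port1 unless Default is enabled, via port4 with next hop 192.168.1.2 when only Default is enabled, and via port4 with the member gateway 192.168.1.3 when both are enabled; in Scenario 2 the Default-only case falls through to the implicit rule, and the Default-plus-Gateway case selects port4 even though port4 holds no route to 8.8.8.8.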

 

In summary, understanding the behavior of the Default and Gateway settings in SD-WAN is essential for optimizing traffic flow and maintaining smooth network performance. With the correct configuration, SD-WAN's features can be fully leveraged, adding both flexibility and reliability to the network. It is crucial to test and verify the setup to ensure everything functions as expected.

 

Related articles:

Technical Tip: Explaining the SD-WAN rule matching process

Technical Tip: Multiple default routes where SD-WAN rules are not preferred